1. Technical Field
The disclosed technology relates to controlling access to and operations on computerized artifacts.
2. Background Art
Protection of a computerized artifact requires two orthogonal services. An authentication service establishes the level-of-trust or certainty as to the identity of the actor/user and an authorization service verifies that the authenticated user is authorized to perform the requested operation on the computerized artifact. Many systems support methods for end users to administer their own authorization policies, but there does not exist any compatible technology to allow end-users to administer their own authentication policies.
Traditional security policies have engendered the concept of a firewall perimeter to separate an Enterprise Intranet from the Internet to provide security for sensitive digitally-encoded information. This concept is no longer viable for the increasingly mobile, telecommuting workforce that is empowered by the widespread use of pervasive computing devices and high-speed Internet. These traditional security measures have been limiting the user experience and reducing the productivity of the user.
A firewall is a hardware and/or software solution for enforcing security policies. A firewall can be analogized to a door lock on a perimeter door in that only authorized users with a key or access card can enter the perimeter. The authorized user has all access provided by the administrator to the protected computerized artifacts once the user is past the firewall (for example, via a virtual private network (VPN) or by physical presence within the perimeter). Outside the firewall, the authorized user has no access to the computerized artifacts that contain or generate the sensitive digitally-encoded information other than what is provided to the public.
FIG. 1 illustrates a prior art firewall protection system 100 typically used to protect computerized artifacts that reside on, or are accessed by, an enterprise mainframe computer 101 or an enterprise workstation 103. The enterprise mainframe computer 101 and the enterprise workstation 103 are typically connected by an intranet 105. A trusted person 107 can operate on a computerized artifact (not shown) that may contain sensitive digitally-encoded information using the enterprise workstation 103 or the enterprise mainframe computer 101. The fundamental assumption that justifies the firewall 111 is that each device and person within the firewall 111 (within the firewall perimeter) has a level-of-trust and is authorized for the operations that person can perform on the computerized artifact. The level-of-trust is established by the person being allowed within the building or other secure area. Nevertheless, the trusted person 107 can make a copy of the computerized artifact, or of the sensitive digitally-encoded information it contains, onto a personal data device 113 (for example, a flash memory device, laptop computer, cell phone, etc.) while within the firewall 111 and then physically carry the personal data device 113 outside the firewall 111. Furthermore, the trusted person 107 often has access to a home workstation 115 and, when at home, can often obtain or operate on the computerized artifact through a firewall access 117 portal (for example, by use of a VPN).
However, once a copy of the sensitive digitally-encoded information is removed from within the firewall 111 (for example, by making a copy of the sensitive digitally-encoded information on the personal data device 113 or on the home workstation 115) control of the sensitive digitally-encoded information is lost as if a firewall gap 119 existed in the firewall 111. Once control of the sensitive digitally-encoded information is lost, an un-trusted person 121 can obtain access to it directly or indirectly from the trusted person 107 (for example, through theft, accident, or other well publicized approaches, etc.).
Within the firewall 111 there are well-developed and understood processes for controlling access to sensitive digitally-encoded information by using access control policies (ACP). However, there are no corresponding processes for authenticating who should be subject to the access control policies other than by controlling access to a physical location (such as controlling entry to secure areas via biometric authentication, etc.) and equivalents such as VPN access. Moreover, these within-firewall processes do not control access to sensitive digitally-encoded information that is removed from within the firewall 111.
Since massive amounts of data can be stored on laptops, thumb drives, cameras, and cell phones, as well as on devices the size of a thumbnail, and because it is convenient to do so, sensitive digitally-encoded information is often copied and transported outside the firewall 111. This exposure makes the sensitive digitally-encoded information less secure. Traditionally, governments and businesses have attempted to control this risk via written policies and the assertion of legal or employment consequences for transporting the sensitive digitally-encoded information outside the firewall 111.
However, there are many ways that even novice computer users may unintentionally transport the sensitive digitally-encoded information outside the firewall 111. For example, some operating systems will transparently make local copies of a computerized artifact containing the sensitive digitally-encoded information on a portable computer to protect against network or server disconnects. Using this capability means that a copy of all or a portion of the sensitive digitally-encoded information may reside on the computer even after access to the sensitive digitally-encoded information is complete. When the portable computer is removed from the firewall perimeter (for example, taken on a trip or to a person's home) the information is removed from within the firewall perimeter.
Unlike a physical briefcase that can be inspected for papers or materials bearing human-visible security markings, the artifacts saved in the personal data device 113 that contain sensitive digitally-encoded information cannot be distinguished by inspection from those that do not. Thus, no security guard can be expected to detect such threats by examining the exterior of the personal data device 113, and examining every computerized artifact stored in the personal data device 113 is impractical.
To control the risk to the sensitive digitally-encoded information, governments and companies implement policies that generally impede their workers' productivity (for example, policies that prohibit any personal data device 113 from crossing the firewall perimeter, policies that require that the employee only work on sensitive digitally-encoded information while at a specified computer within the firewall perimeter, etc.). These policies can increase employee dissatisfaction and can thus increase the risk to the sensitive digitally-encoded information.
Another aspect of protecting sensitive digitally-encoded information is that often the only person who knows whether the information is sensitive or not is the person working with the information. Often that person is the person who classifies the information as sensitive. A system administrator cannot determine the information's sensitivity because the administrator does not have the understanding or the training to assess it. Furthermore, situations exist where such an employee has need-to-know access to the sensitive digitally-encoded information but that employee's supervisor does not. Thus, neither the employee's supervisor nor a system administrator can specify the level of protection needed by the sensitive digitally-encoded information. As a result, the person determining the sensitivity of the sensitive digitally-encoded information can be the same person who is inconvenienced by the sensitivity rating applied to it, which could cause that person to underestimate the level of sensitivity. What is needed is some way to minimize the impact on the person's ease-of-use so that he/she will be motivated to appropriately protect the sensitive digitally-encoded information.
Digital Rights Management (DRM) and application security options (such as those provided by Adobe Systems Incorporated's Acrobat® products, Microsoft Corporation's Office products, and compression products such as 7-ZIP and those provided by WinZip International) provide some level of access control to computerized artifacts. However, this protection is limited to an all-or-nothing approach where, for example, once a password is used to open the computerized artifact, the computerized artifact remains open and is not responsive to changes in the user's context. In addition, the features made available after opening the computerized artifact do not depend on the user's access environment, even though continued access may be inappropriate if the user's access environment changes while the computerized artifact is open. The user's access environment can represent, for example, the characteristics of the client device and the networks, protocols, credentials, and general environment (such as time of day and location) used by or affecting the client device to allow the actor to operate on the computerized artifact.
Many authentication and authorization systems provide tools to simplify the use of the authentication and authorization services, both of which are needed to identify a user and to determine whether that user is allowed to operate on a computerized artifact. Many of these systems enable end-users to administer access control policies (commonly represented by access control lists on the computerized artifacts), which are enforced by the authorization service. Some of these systems enable system administrators to supply login modules and policies for the authentication service through deployment descriptors and/or configuration files.
The US Department of Defense's DOD-5015.2 standard for Records Management introduced the concept of supplemental markings to be part of its regular access control solutions. This standard stipulates that each record instance can be associated with supplemental markings that elaborate on or clarify document handling. The user objects can also be associated with the same set of supplemental markings. The file plan creator can specify how the supplemental markings determine whether the user can access the record, using rules such as (1) the user's markings must be a superset of the record's markings, or (2) the user's markings and record's markings must have at least one element in common. DOD-5015.2 standard stipulates that the file plan creator can specify the access control rules to be applied using the supplemental markings, but the DOD-5015.2 standard does not enumerate the choices for the markings nor the rules. The DOD-5015.2 markings are generally used to define authorization policies. DOD-5015.2 did not provide use-cases for markings to define authentication policies.
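The two marking rules described above (user's markings a superset of the record's, or at least one marking in common) can be evaluated as set operations. The following is an added illustration written for this page; it is not code from the DOD-5015.2 standard or from any records management product. The marking vocabulary, the record samples, the record categories and the per-category rule choice are constructed assumptions, since the standard leaves both the markings and the rules to the file plan creator.

```python
"""Supplemental-marking rules of the kind DOD-5015.2 lets a file plan choose.

Added illustration, not code from the standard or from any records system.
The marking vocabulary, the record samples and the per-category rule choice
are constructed assumptions; the standard itself leaves both unspecified.
"""
from enum import Enum


class MarkingRule(Enum):
    # the user's markings must be a superset of the record's markings
    SUPERSET = "superset"
    # the user's and the record's markings must share at least one element
    ANY_COMMON = "any_common"


def markings_permit(user_markings, record_markings, rule):
    """Apply one supplemental-marking rule; True means the marking check passes.

    A record that carries no supplemental markings imposes no marking-based
    constraint (assumption); the ordinary access control policy still applies.
    """
    user = frozenset(user_markings)
    record = frozenset(record_markings)
    if not record:
        return True
    if rule is MarkingRule.SUPERSET:
        return record <= user
    if rule is MarkingRule.ANY_COMMON:
        return bool(user & record)
    raise ValueError(f"unknown marking rule: {rule!r}")


# Constructed file plan: the creator picks the rule per record category.
FILE_PLAN = {
    "personnel": MarkingRule.SUPERSET,
    "project-reports": MarkingRule.ANY_COMMON,
}

# Constructed records: category plus the supplemental markings on each instance.
RECORDS = {
    "rec-1001": {"category": "personnel", "markings": {"HR-ONLY", "PROJECT-A"}},
    "rec-1002": {"category": "project-reports", "markings": {"PROJECT-A", "PROJECT-B"}},
    "rec-1003": {"category": "project-reports", "markings": set()},
}


def can_access(user_markings, record_id, records=RECORDS, file_plan=FILE_PLAN):
    """Marking check for one record, using the rule its category has in the file plan.

    This is only the supplemental-marking part of access control; the
    (Subject, Privilege, Object) policy is evaluated separately.
    """
    record = records[record_id]
    rule = file_plan[record["category"]]
    return markings_permit(user_markings, record["markings"], rule)


if __name__ == "__main__":
    for uid, marks in (("alice", {"HR-ONLY", "PROJECT-A"}), ("bob", {"PROJECT-B"})):
        for rid in RECORDS:
            print(uid, rid, "permit" if can_access(marks, rid) else "deny")
```

The choice of rule matters more than it first appears: under SUPERSET a record acquires more protection every time a marking is added to it, while under ANY_COMMON adding a marking widens the population that can pass the check.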
There are many known technologies to perform authentication, including Basic authentication, Certificate authentication, Smart Card authentication, Password authentication, Biometric authentication, etc. One skilled in the art will understand that existing authentication technologies include: “No authentication”, where no trust is established; “Basic authentication”, where the trust-establishing information is sent in the clear (for example, a dual-tone multi-frequency (DTMF) key sequence or a voice PIN without end-to-end encryption support, or a password sent over a non-SSL link); “Password authentication”, where the trust-establishing information is a user name and password obtained in a secure manner; “Biometric authentication”, which uses a biological characteristic of the user (such as fingerprints, signature, or voice biometrics) to establish the level-of-trust; and “Certificate authentication”, where the level-of-trust is established using cryptographic certificates.
Well-known Password authentication technologies include Digest, Form, Kerberos, SecurID, and RADIUS authentication. One skilled in the art will understand these and similar technologies.
Well known Certificate authentication technologies include ClientCert, SmartCard, SIM, WIM, and SIM-WIM. One skilled in the art will understand these and similar technologies.
Confidentiality/privacy of the computerized artifact can be established through the use of well-known encryption technology such as that used to establish Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections, as well as VPN connections. One skilled in the art will understand that HTTPS represents the use of the HTTP protocol over an SSL or TLS connection, and that S-HTTP represents end-to-end encryption support for a single HTTP request/response cycle. S/MIME, PGP, and RIM are various encryption techniques for e-mail messages; such a one will also understand RSA's public key encryption technology and symmetric key encryption, and that TLS can be combined with the Simple Authentication and Security Layer (SASL) protocol to negotiate a desired connection type. These technologies can also support the integrity of the computerized artifact while in transit or when stored on a client device. Existing cryptographic technologies can also provide non-repudiation protection to assure that an actor cannot deny having performed an operation on the computerized artifact.
Device identification (which is not actor authentication) is the technology that enables a server to automatically identify the same client device for sessions subsequent to the first session. The Liberty Alliance Project has defined an open standard for identity federation and identity brokering protocols. This standard augments the authentication and Single Sign-On (SSO) functionality. This standard includes support for pseudonyms (which are unique and persistent within a federation) to preserve the anonymity of the users.
One skilled in the art will understand that an access control policy is a set of policy statements of the form (“Subject”, “Privilege”, “Object”) defining the privileges that the Subject (actor/user) has to act on the object (computerized artifact). Many systems use a hierarchy of Subjects, Assigned Privileges, and Objects to more concisely specify the access control policy. It is common to use “Groups” to represent sets of Subjects, “Roles” to represent named sets of Assigned Privileges, and “containers” to represent sets of Objects. Some Role-Based Access Control systems model Role as a mapping of Subjects to Assigned Privileges, and therefore, use the Roles to represent a grouping of Subjects and Assigned Privileges.
In prior solutions, partial orderings of principals are represented by the hierarchy of roles in the role-based access control models. The role inherits the privileges from its super-roles. For example, an employee can be a super-role of the manager because manager is also an employee. The manager role inherits the privileges from the employee role. However, standard role-based access control models do not support negative privileges.
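The role hierarchy just described (a sub-role inheriting privileges from its super-roles, with "employee" a super-role of "manager") is a small graph computation, and the missing negative privilege falls directly out of how it is computed. The block below is an added example for this page, not code from any access control product; the role names, the (Role, Privilege, Container) statements and the object paths are constructed for illustration, and containers are modelled as path prefixes, which is an assumption.

```python
"""Role hierarchy with inherited privileges, and the negative-privilege gap.

Added example, not taken from any access control product.  Role names,
the (Role, Privilege, Container) assignments and the object paths are
constructed for illustration.
"""
from collections import deque

# role -> super-roles it inherits from.  "employee" is a super-role of
# "manager" because every manager is also an employee.  (Constructed.)
SUPER_ROLES = {
    "employee": [],
    "manager": ["employee"],
    "auditor": ["employee"],
    "cfo": ["manager", "auditor"],
}

# Policy statements (Subject, Privilege, Object) with a role as the Subject
# and a container (path prefix) standing for a set of Objects.  (Constructed.)
ASSIGNMENTS = [
    ("employee", "read", "/docs/public"),
    ("manager", "write", "/docs/public"),
    ("manager", "read", "/docs/hr"),
    ("auditor", "read", "/docs/finance"),
]


def ancestors(role, hierarchy=SUPER_ROLES):
    """All super-roles reachable from `role` (breadth-first, cycle-safe)."""
    seen, queue = set(), deque(hierarchy.get(role, []))
    while queue:
        parent = queue.popleft()
        if parent in seen:
            continue
        seen.add(parent)
        queue.extend(hierarchy.get(parent, []))
    return seen


def effective_privileges(role, hierarchy=SUPER_ROLES, assignments=ASSIGNMENTS):
    """Union of the role's own statements and those of every super-role.

    Because the result is a union, a statement granted to a super-role can
    never be removed from a sub-role: the model has no negative privilege.
    """
    subjects = {role} | ancestors(role, hierarchy)
    return {(priv, obj) for subj, priv, obj in assignments if subj in subjects}


def in_container(obj, container):
    """True when `obj` is the container itself or lies beneath it (whole path components only)."""
    return obj == container or obj.startswith(container.rstrip("/") + "/")


def is_permitted(role, privilege, obj, hierarchy=SUPER_ROLES, assignments=ASSIGNMENTS):
    """Authorization decision for one (role, privilege, object) request."""
    return any(
        priv == privilege and in_container(obj, container)
        for priv, container in effective_privileges(role, hierarchy, assignments)
    )


if __name__ == "__main__":
    for role in SUPER_ROLES:
        print(role, sorted(effective_privileges(role)))
```

To forbid, say, managers from reading one sub-container of /docs/public, a statement would have to subtract from the inherited set; since effective_privileges only ever unions, no such statement can be written, which is the limitation the paragraph above points out. The in_container check compares whole path components so that /docs/public does not accidentally cover /docs/publicity.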
What is needed is a way to provide some discretionary and graduated control of access to computerized artifacts (in particular to computerized artifacts that contain sensitive digitally-encoded information) based on knowledge of the access environment between the actor and the computerized artifacts. If access is attempted in a less protected access environment, fewer operations on the computerized artifact should be allowed than in a more protected access environment. Another long-felt need is for a user to be able to specify a detailed access profile (including access environment characteristics) that can be used to control operations on the computerized artifact, instead of the coarse-grained control provided by traditional access types and Role privileges of users within the firewall perimeter. In addition, another need is to securely protect computerized artifacts after they have been downloaded to some client device.
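The graduated behaviour described above, where the set of permitted operations shrinks as the access environment becomes less protected and is re-evaluated rather than fixed at open time, can be sketched as a per-request policy decision. The block below is an added example written for this page; it is not code from any DRM or application-security product. The ranking of authentication methods and transports, the environment fields, the operation names and the sample access profile are all assumptions made for illustration.

```python
"""Graduated access: operations on an artifact shrink as the access environment weakens.

Added example of the behaviour the passage asks for; it is not code from any
DRM or application-security product.  The trust ordering of authentication
methods and transports, the environment fields, the operation names and the
sample access profile are all assumptions made for illustration.
"""
from dataclasses import dataclass

# Level-of-trust established by each authentication method, low to high
# (assumed ordering; the page lists the methods without ranking them).
AUTH_LEVEL = {"none": 0, "basic": 1, "password": 2, "certificate": 3}
# Protection afforded by the transport, low to high (assumed ordering).
TRANSPORT_LEVEL = {"cleartext": 0, "tls": 1, "vpn": 2}


@dataclass(frozen=True)
class AccessEnvironment:
    auth_method: str        # key of AUTH_LEVEL
    transport: str          # key of TRANSPORT_LEVEL
    inside_perimeter: bool  # physically within the firewall perimeter
    device_known: bool      # device identification succeeded (not actor authentication)


# Access profile the artifact's owner attaches to it: each tier names the
# minimum environment and the operations that tier adds.  (Constructed.)
PROFILE = [
    ({"auth": "basic", "transport": "tls"}, {"view"}),
    ({"auth": "password", "transport": "tls"}, {"annotate"}),
    ({"auth": "certificate", "transport": "vpn"}, {"edit", "print"}),
    ({"auth": "certificate", "transport": "vpn",
      "inside_perimeter": True, "device_known": True}, {"copy", "export"}),
]


def meets(env, requirement):
    """True when the environment is at least as protected as the tier requires."""
    if AUTH_LEVEL[env.auth_method] < AUTH_LEVEL[requirement["auth"]]:
        return False
    if TRANSPORT_LEVEL[env.transport] < TRANSPORT_LEVEL[requirement["transport"]]:
        return False
    for flag in ("inside_perimeter", "device_known"):
        if requirement.get(flag) and not getattr(env, flag):
            return False
    return True


def allowed_operations(env, profile=PROFILE):
    """Union of the operations of every tier the environment satisfies."""
    ops = set()
    for requirement, granted in profile:
        if meets(env, requirement):
            ops |= granted
    return frozenset(ops)


def authorize(env, operation, profile=PROFILE):
    """Decide one operation against the *current* environment.

    The decision is recomputed per request rather than once at open time, so a
    change of context (leaving the perimeter, dropping the VPN) takes effect on
    the next operation instead of leaving the artifact fully open.
    """
    return operation in allowed_operations(env, profile)


if __name__ == "__main__":
    office = AccessEnvironment("certificate", "vpn", True, True)
    cafe = AccessEnvironment("password", "tls", False, False)
    for name, env in (("office", office), ("cafe", cafe)):
        print(name, sorted(allowed_operations(env)))
```

Because a more protected environment satisfies a superset of the tiers, the operation sets are nested by construction (a cafe session never gets an operation an office session lacks), which is exactly the "fewer operations in a less protected environment" property the passage calls for. The caller is expected to rebuild the AccessEnvironment whenever the client's context changes and to call authorize on every operation, not only at open time.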